Locky Poses Real Threat - Ransomware Exploding
Locky, a new family of ransomware that emerged in the last few weeks, has quickly made a mark for itself. SIM2K has seen several instances of clients' files being encrypted and made inaccessible after their networks were infected with this malware. Locky has become a commonly seen type of ransomware, which is used to hold a computer’s files hostage pending a ransom payment.
Trustwave’s SpiderLabs indicates that 18% of 4 million spam messages it collected in the first week of March were ransomware-related, including many linked to Locky.
Locky is distributed through spam messages sent by the same botnet that is also used to deliver online banking malware.
Security vendor Fortinet studied statistics collected by its Intrusion Prevention System software between Feb. 17 and March 2. The software detects when ransomware connects to command-and-control servers used by cybercriminals to manage the malware. It found that about 16.4% of 18 million communications it detected were for Locky infections, with the rest belonging to CryptoWall and TeslaCrypt, the other top ransomware families.
“As predicted, Locky already covers a big chunk of the infections,” said a senior antivirus analyst with Fortinet. Most of the Locky infections appear to be in the U.S., France and Japan, he wrote.
The FBI warns that ransomware has become one of the biggest threats to consumers and businesses. Although some ransomware writers made mistakes in their code early on, there’s usually no way to recover the files if the decryption key is not released. The ransom is usually a few hundred dollars, with detailed instructions displayed to victims for how to pay in bitcoin. Security experts generally recommend backing up files to recover from a ransomware attack and ensuring the backup drive can’t be reached by malware.
SIM2K has security policies that will help clients defend against Locky, but it is still important to practice "safe surfing" with any information coming over the Internet, especially e-mails that contain attachments or files you are not expecting as part of your everyday business activities. For example, if you do not normally receive shipping notices from FedEx or UPS and suddenly get one, be very suspicious of it and do not click on any links. Look out for spoofed or "almost correct" e-mails, such as one SIM2K received from "Costo": a quick glance might make you think it is from Costco, but closer examination shows the e-mail header to be deceptive. For more information on defending against Locky and other malware, contact SIM2K immediately.
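The "Costo" versus Costco case above is a lookalike-domain check that a mail gateway or help desk can automate rather than rely on a quick glance. The PowerShell below is an added example for this newsletter, not SIM2K's own tooling: it scores a sender's domain against a short list of domains the organization genuinely receives mail from, using edit distance for near-misses and a label-boundary check for brand names embedded in unrelated domains. The trusted-domain list and the sample addresses are constructed for illustration.

```powershell
# Added example, not part of the SIM2K notice: flag sender domains that are a
# near-miss of, or embed, a brand the organization genuinely receives mail from.
function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance with a two-row table; callers pass lower-cased input.
    $prev = [int[]](0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = New-Object int[] ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost    = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $delete  = $prev[$j] + 1
            $insert  = $curr[$j - 1] + 1
            $replace = $prev[$j - 1] + $cost
            $curr[$j] = [Math]::Min([Math]::Min($delete, $insert), $replace)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Test-LookalikeSender {
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [Parameter(Mandatory)][string[]]$TrustedDomains,
        [int]$MaxDistance = 2   # typo budget; keep small, short domains collide easily
    )
    $domain = ($SenderAddress -split '@')[-1].Trim().ToLowerInvariant()
    $result = [ordered]@{ Sender = $SenderAddress; Domain = $domain; Verdict = 'unknown'; Nearest = $null; Distance = $null }

    # Exact match or a legitimate subdomain wins before any fuzzy logic runs,
    # so mail from a real partner is never mis-scored as a lookalike.
    foreach ($trusted in $TrustedDomains) {
        $t = $trusted.ToLowerInvariant()
        if ($domain -eq $t -or $domain.EndsWith(".$t")) {
            $result.Verdict = 'trusted'; $result.Nearest = $t; $result.Distance = 0
            return [pscustomobject]$result
        }
    }
    foreach ($trusted in $TrustedDomains) {
        $t     = $trusted.ToLowerInvariant()
        $brand = ($t -split '\.')[0]            # 'costco' from 'costco.com'
        $d     = Get-EditDistance $domain $t
        if ($d -le $MaxDistance) {
            # e.g. costo.com: one character away from costco.com
            $result.Verdict = 'lookalike'; $result.Nearest = $t; $result.Distance = $d
            return [pscustomobject]$result
        }
        # Brand name present as a whole label or hyphenated part (fedex-delivery.com),
        # but not merely a substring (groups.com does not embed ups).
        if ($domain -match "(^|[.-])$([regex]::Escape($brand))([.-]|$)") {
            $result.Verdict = 'brand-embedded'; $result.Nearest = $t; $result.Distance = $d
            return [pscustomobject]$result
        }
    }
    return [pscustomobject]$result
}

# Constructed sample data for the demonstration.
$trusted = 'costco.com', 'fedex.com', 'ups.com'
$samples = 'orders@costco.com', 'billing@costo.com', 'tracking@fedex-delivery.com',
           'noreply@upss.com', 'alerts@groups.com'
$samples | ForEach-Object { Test-LookalikeSender -SenderAddress $_ -TrustedDomains $trusted } |
    Format-Table -AutoSize
```

With the sample data, costco.com scores as trusted, costo.com and upss.com as lookalikes at distance 1, fedex-delivery.com as brand-embedded, and groups.com as unknown. The exact-match pass runs first on purpose: with very short domains such as ups.com, a distance of 1 also reaches other legitimate names, so an allow list of known-good senders has to take precedence over the fuzzy score, and a hit should be treated as a reason to inspect the message, not as proof of fraud.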
Additional Information (from Ars Technica):
Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.
The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.
According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
"If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page," SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. "Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble."
Update: According to a just-published post from Malwarebytes, a flurry of malvertising appeared over the weekend (3/12-13), almost out of the blue. It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com. Affected networks included those owned by Google, AppNexus, AOL, and Rubicon. The attacks are flowing from two suspicious domains, including trackmytraffic[.]biz and talk915[.]pw.
The ads are also spreading on sites including answers.com, zerohedge.com, and infolinks.com, according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.
Other domain names being used in the current campaign include evangmedia[.]com and shangjiamedia[.]com. The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address.
The campaign underscores the vital role that smart browsing plays in staying secure online. One of the most important things users can do is to decrease what researchers refer to as their "attack surface." That means uninstalling things like Adobe Flash, Oracle Java, Microsoft Silverlight, and other third-party browser extensions unless absolutely required. The other crucial ingredient in safe browsing is installing updates as soon as they become available and using the 64-bit version of Chrome for browsing when possible. Windows users would also do well to install Windows 10 and use Microsoft's Enhanced Mitigation Experience Toolkit.
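Knowing which of the plug-ins named above are actually present is the first step to removing them. The following PowerShell is an added example for this newsletter, not a SIM2K or Microsoft script: it reads the installed-programs registry keys that Windows maintains for the Add/Remove Programs list, reports whether Flash, Java and Silverlight are installed (the article says to remove them unless required) and whether EMET is installed (the article says to add it). The display-name patterns are assumptions based on how those products typically register themselves and may need adjusting for a particular version.

```powershell
# Added example, not SIM2K's or Microsoft's tooling: inventory the browser
# attack-surface components the article discusses, from the Uninstall registry keys.
function Get-BrowsingAttackSurface {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    # Regex over DisplayName; the patterns are assumptions about typical product names.
    $checks = @(
        @{ Component = 'Adobe Flash Player';    Pattern = 'Adobe Flash Player';                         WantInstalled = $false },
        @{ Component = 'Oracle Java';           Pattern = '^Java(\(TM\))? \d';                          WantInstalled = $false },
        @{ Component = 'Microsoft Silverlight'; Pattern = '^Microsoft Silverlight';                     WantInstalled = $false },
        @{ Component = 'EMET';                  Pattern = 'Enhanced Mitigation Experience Toolkit|^EMET'; WantInstalled = $true }
    )
    foreach ($c in $checks) {
        $hits    = @($installed | Where-Object { $_.DisplayName -match $c.Pattern })
        $present = $hits.Count -gt 0
        [pscustomobject]@{
            Component = $c.Component
            Installed = $present
            Versions  = ($hits | ForEach-Object { $_.DisplayVersion }) -join ', '
            Action    = if ($present -eq $c.WantInstalled) { 'OK' }
                        elseif ($present) { 'Remove unless required' }
                        else { 'Install' }
        }
    }
}

Get-BrowsingAttackSurface | Format-Table -AutoSize
```

Run it as the logged-on user so per-user installs are visible; no administrative rights are needed to read these keys. The report deliberately stops at "remove unless required": whether a given workstation truly needs Java or Silverlight for a line-of-business application is a decision for the business, and the script only makes the exposure visible.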
The posts didn't elaborate on the crypto ransomware being spread in the campaigns, except for the mention by SpiderLabs that it included TeslaCrypt, which so far is known to infect only Windows computers. With last week's discovery of Mac-based ransomware, users of all computing platforms should take the threat seriously.
Windows 10 Notifications
As the year-long free upgrade offer for Windows 10 nears the halfway mark, Microsoft has announced new plans to begin displaying the GWX (“Get Windows 10”) taskbar icon and upgrade prompts on business PCs that had previously been off-limits.
This plan does not offer a "No Thanks" button on the GWX prompts, so it will not go away. However, Microsoft has provided a means to permit IT pros to opt a customer’s PC out of the automatic upgrade and disable the GWX icon.
This new upgrade policy affects computers that are part of a company network, or “domain,” whereas originally the GWX option applied only to stand-alone (i.e. home) machines. Domain-joined PCs running Windows 7 Professional, Windows 7 Ultimate, or Windows 8.1 Pro that are configured to receive updates directly from Windows Update will begin seeing the GWX taskbar icon shortly. Domain-joined PCs that get updates through another mechanism, such as Windows Server Update Services, are not affected.
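For readers who want to see what the opt-out consists of, the following PowerShell is an added example for this newsletter, not the exact procedure SIM2K applies remotely. It sets the two registry policy values that Microsoft documents in its support article KB3080351 for blocking the Windows 10 upgrade offer and hiding the GWX icon, and it first checks whether a PC is even in scope under the rule described above (domain-joined, Windows 7 or 8.1, taking updates straight from Windows Update rather than WSUS). It must be run from an elevated PowerShell prompt; the helper names are my own.

```powershell
# Added example, not SIM2K's own block procedure. The two policy values are the
# ones Microsoft documents in KB3080351; run from an elevated prompt on the client PC.
$Win10BlockPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx' }
)

function Test-GwxExposure {
    # Mirrors the scoping rule in the notice: domain-joined, Windows 7/8.1, and
    # not pointed at a WSUS server (UseWUServer = 1 means WSUS is in use).
    $cs   = Get-WmiObject Win32_ComputerSystem
    $os   = Get-WmiObject Win32_OperatingSystem
    $wsus = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    [pscustomobject]@{
        Computer     = $cs.Name
        DomainJoined = $cs.PartOfDomain
        OS           = $os.Caption
        UsesWsus     = ($wsus -eq 1)
        InScope      = ($cs.PartOfDomain -and ($os.Caption -match 'Windows (7|8\.1)') -and ($wsus -ne 1))
    }
}

function Set-Windows10UpgradeBlock {
    foreach ($p in $Win10BlockPolicies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        # DWORD 1 = block; -Force overwrites an existing value of any type.
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-Windows10UpgradeBlock {
    # Read both values back so the technician can confirm the block before the reboot.
    foreach ($p in $Win10BlockPolicies) {
        $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{ Policy = "$($p.Path)\$($p.Name)"; Value = $v; Blocked = ($v -eq 1) }
    }
}

Test-GwxExposure
Set-Windows10UpgradeBlock
Test-Windows10UpgradeBlock | Format-Table -AutoSize
```

On a domain the same two values can be delivered centrally through Group Policy instead of touching each PC, which is what makes the block practical for remote laptops once they connect to the company network. A reboot after the change is what the notice asks for, and the read-back function gives a quick way to confirm the values survived it.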
We are writing because your organization is subject to this new Microsoft upgrade policy. Our current recommendation is for organizations to hold off on updating to Windows 10 until it is more stable in the marketplace and you feel the change would be worthwhile for your company. If you wish to block this aggressive approach to updating by Microsoft, please contact SIM2K at 317.251.7920 and let us know you would like the Windows 10 blocker on your computers. It should only take a few minutes as we connect remotely and manually put the block in place.
If your company has remote users, please make arrangements for them to come into your office, connect directly to your company’s network to receive the block, then have them reboot their laptop. Or, they may call us to connect directly as stated above to install the block.
Don’t hesitate to call or send us an e-mail if you have questions or need more information on the Windows 10 update and how best to allow us to help you get this block installed on your network and employees’ computers.